Secret to Stopping Spam: Follow the Money

From the editors and reporters of Scientific American, this blog delivers commentary, opinion and analysis on the latest developments in science and technology and their influence on society and policy. From reasoned arguments and cultural critiques to personal and skeptical takes on interesting science news, you'll find a wide range of scientifically relevant insights here. Follow on Twitter @sciam.

Larry Greenemeier is the associate editor of technology for Scientific American, covering a variety of tech-related topics, including biotech, computers, military tech, nanotech and robots. Follow on Twitter @lggreenemeier.

Spam comprises upward of 80 percent of incoming e-mail, despite monumental efforts by help desks and security software companies to defeat it. The reason spam volumes continue to grow is that such efforts are often misplaced and fail to hit spammers where it hurts. Instead of trying to shut down the hydralike tangle of Web servers that route spam to our in-boxes, a much more focused attack should be made to disable payment for the goods (Viagra pills, Bosley hair loss treatment, Space Bag storage, etc.) that spam is used to advertise, according to a team of researchers presenting their findings Tuesday at the IEEE Symposium on Security and Privacy in Oakland, Calif.

"If you spend a bunch of money trying to plug some technical hole that has very little business impact on the bad guys, then the enterprise will continue," says Stefan Savage, an associate professor of computer science and engineering at the University of California, San Diego (UCSD), and lead author on the study, "Click Trajectories: End-to-End Analysis of the Spam Value Chain."

When viewed as a supply-chain pipeline, it becomes clear there are many moving parts that enable a successful spam campaign. Most important to the vendor behind the deluge of unsolicited e-mails, however, is getting paid. The researchers determined that it is very difficult and disruptive for spammers to open a new account with a new bank if their current bank decides to stop authorizing or settling their customers’ credit or debit card transactions. It can take days for a merchant behind a spam campaign to find a new bank, says Savage, also director of UCSD’s Collaborative Center for Internet Epidemiology and Defenses.

Compare this with a more common approach to cut down spam—blocking spammers’ Web addresses. "With domain names, where much effort is expended to shut down [Web sites] of companies selling goods via spam campaigns, the number of alternatives is just enormous," Savage says. "There are thousands of registrars they can buy domains from." The switching cost is very cheap and it takes only hours to acquire a new domain, so the impact on spammers is very small.

As part of their research, Savage and his team set up a dummy network to receive e-mail at various usernames and monitored inbound traffic for spam, focusing on the Web addresses embedded in unwanted e-mails. Those addresses clued the team in to the next step in the supply chain. "If you buy a lot of goods, you can look to see who’s using the same suppliers," he adds. The researchers also learned a lot about spam campaign supply chains by actually buying hundreds of spam-advertised goods worth about $4,000 and then studying their own credit card statements, which provided transaction details that helped identify the banks collecting payments for spam-advertised goods.

Surprisingly, the researchers received most of the goods they ordered. "A lot of people think of this as something where they steal your money," Savage says. "In fact, that’s not the case. When you make purchases, you get the product in return."

The researchers have provided their findings to regulatory agencies—including the U.S. Food and Drug Administration, Federal Trade Commission and Department of Justice—and various companies owning brands sold via spam, according to Savage. "In the end, with respect to any kind of political or regulatory intervention, that is not something we are in a position to lead," he adds. "I predict there will be nervousness about [our] approach, both from financial institutions who probably have a vested interest in not having a lot of regulatory forbearance in the payment field but as well on the civil liberties side where there are justifiable concerns about using global payments as a vehicle to enforce public policy."

Savage, who specializes in novel cyber-security research such as projects to determine whether car computers can be hacked and house keys can be copied using digital images, emphasizes that his team’s goal has been to take a holistic view of spam, in particular the economics that drive it, rather than seeing it purely as a computer security problem. From here, it is up to policy-makers to determine whether the benefits of attacking spammers’ income stream outweigh any political obstacles.

3 Comments

I find it interesting that Scientific American gets as much spam as it does posted in these comments sections. I’ve also heard that if people would stop buying through spam, the economic incentive to send it would disappear and with it the spam.

It is horrifying that 80% of emails are spam. If you receive 100 emails a day then 80 of them are spam. Just spending 2 seconds on each email deleting it adds up to 160 seconds, nearly 3 minutes. That is 18 hours in a year, just deleting spam emails!
It is a good job there are tools like temporary emails which help you manage the emails you receive in your inbox: http://www.spamratings.com/consumers/the-spam-ratings-tour

My email provider, hotmail, does a decent job of screening out spam and placing it in the junk mail folder. I check to make sure that there are no non-junk msg and then empty it.

I cannot understand people who respond to these things. If we all learned how to recognize spam and didn’t respond to it, spammers would go away.

Phones have their spammers as well and someone must respond and shell out a lot of bucks because it’s a thriving business. This tells me we have a lot of really stupid people out there who enjoy giving away their money.

Education is the answer, I guess, but how do we implement it and where?